
Cyfast-extension #3547

Closed
bhupathiraju1998 opened this issue Sep 27, 2023 · 14 comments
Labels
hosting-request Request to host a component in jenkinsci needs-fix security-audit-needs-correction The security audit revealed issues that must be corrected from the hosting request

Comments

@bhupathiraju1998

bhupathiraju1998 commented Sep 27, 2023

Repository URL

https://github.com/bhupathiraju1998/cyfast-extension

New Repository Name

cyfast-extension-plugin

Description

CyFAST Extension

How to configure
Freestyle project:
Select the CyFAST extension plugin in the build step and give the necessary input values, like project ID and orchestration ID, username, password and the VM URL.

Pipeline project:
Select Pipeline Syntax while generating the pipeline, go to the Snippet Generator, select the general build step, select CyFAST extension and give the necessary input values, like project ID and orchestration ID, username, password and the VM URL.

GitHub users to have commit permission

@bhupathiraju1998

Jenkins project users to have release permission

bhupathiraju1998

Issue tracker

Jira

@bhupathiraju1998 bhupathiraju1998 added the hosting-request Request to host a component in jenkinsci label Sep 27, 2023
@jenkins-cert-app
Collaborator

Security audit, information and commands

The security team is auditing all the hosting requests, to ensure a better security by default.

This message informs you that a Jenkins Security Scan was triggered on your repository.
It takes ~10 minutes to complete.

Commands

The bot will parse all comments, and it will check if any line start with a command.

Security team only:

  • /audit-ok => the audit is complete, the hosting can continue 🎉.
  • /audit-skip => the audit is not necessary, the hosting can continue 🎉.
  • /audit-findings => the audit reveals some issues that require corrections ✏️.

Anyone:

  • /request-security-scan => the findings from the Jenkins Security Scan were corrected, this command will re-scan your repository 🔍.
  • /audit-review => the findings from the audit were corrected, this command will ping the security team to review the findings 👀. It's only applicable when the previous audit required changes.

Only one command can be requested per comment.

(automatically generated message, version: 1.19.14)

@jenkins-cert-app jenkins-cert-app added the security-audit-todo The security team needs to audit the hosting request code label Sep 27, 2023
@github-actions

Hello from your friendly Jenkins Hosting Checker

It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.

  • ⛔ Required: The following usernames in 'Jenkins project users to have release permission' need to log into Jira: @bhupathiraju1998 (reports are re-synced hourly, wait to re-check for a bit after logging in)
  • ⛔ Required: The following usernames in 'Jenkins project users to have release permission' need to log into Artifactory: @bhupathiraju1998 (reports are re-synced hourly, wait to re-check for a bit after logging in)

You can re-trigger a check by editing your hosting request or by commenting /hosting re-check

@jenkins-cert-app
Collaborator

❌ Jenkins Security Scan failed.
The Security team was notified about this.

@bhupathiraju1998
Author

/hosting re-check

@github-actions

Hello from your friendly Jenkins Hosting Checker

It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.

  • ⛔ Required: The following usernames in 'Jenkins project users to have release permission' need to log into Jira: @bhupathiraju1998 (reports are re-synced hourly, wait to re-check for a bit after logging in)
  • ⛔ Required: The following usernames in 'Jenkins project users to have release permission' need to log into Artifactory: @bhupathiraju1998 (reports are re-synced hourly, wait to re-check for a bit after logging in)

You can re-trigger a check by editing your hosting request or by commenting /hosting re-check

@Wadeck
Collaborator

Wadeck commented Sep 27, 2023

@bhupathiraju1998
Author

/hosting re-check

@github-actions

Hello from your friendly Jenkins Hosting Checker

It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.

  • ⛔ Required: The following usernames in 'Jenkins project users to have release permission' need to log into Jira: @bhupathiraju1998 (reports are re-synced hourly, wait to re-check for a bit after logging in)
  • ⛔ Required: The following usernames in 'Jenkins project users to have release permission' need to log into Artifactory: @bhupathiraju1998 (reports are re-synced hourly, wait to re-check for a bit after logging in)
  • ⛔ Required: The 'artifactId' from the pom.xml (cyfast extension) is incorrect, it should be cyfast-extension ('New Repository Name' field with "-plugin" removed)

You can re-trigger a check by editing your hosting request or by commenting /hosting re-check

@bhupathiraju1998
Author

/hosting re-check

@github-actions

Hello from your friendly Jenkins Hosting Checker

It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.

  • ⛔ Required: The following usernames in 'Jenkins project users to have release permission' need to log into Jira: @bhupathiraju1998 (reports are re-synced hourly, wait to re-check for a bit after logging in)
  • ⛔ Required: The following usernames in 'Jenkins project users to have release permission' need to log into Artifactory: @bhupathiraju1998 (reports are re-synced hourly, wait to re-check for a bit after logging in)

You can re-trigger a check by editing your hosting request or by commenting /hosting re-check

@github-actions

Hello from your friendly Jenkins Hosting Checker

It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.

  • ⛔ Required: The following usernames in 'Jenkins project users to have release permission' need to log into Jira: bhupathiraju1998 (reports are re-synced hourly, wait to re-check for a bit after logging in)
  • ⛔ Required: The following usernames in 'Jenkins project users to have release permission' need to log into Artifactory: bhupathiraju1998 (reports are re-synced hourly, wait to re-check for a bit after logging in)

You can re-trigger a check by editing your hosting request or by commenting /hosting re-check

@NotMyFault
Member

/request-security-scan

@jenkins-cert-app
Collaborator

The Jenkins Security Scan discovered 3 finding(s) 🔍.
For each of them, either apply the recommended correction, suppress the warning or provide a justification.

Once you're done, either re-run the scan with /request-security-scan or request the Security team to review your justifications with /audit-review.


Stapler: Missing permission check

You can find detailed information about this finding here.

FastBuilder.java#192
Potential missing permission check in DescriptorImpl#doCheckName

Jenkins: Plaintext password storage

You can find detailed information about this finding here.

FastAction.java#10
Field should be reviewed whether it stores a password and is serialized to disk: accessToken
FastBuilder.java#43
Field should be reviewed whether it stores a password and is serialized to disk: password
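
For the two scan findings above, an added example (not code from the cyfast-extension repository; the class, field and method names are taken from the finding text, the rest is assumed) showing the pattern the Jenkins Security Scan expects: a `doCheck*` form-validation method on a `Descriptor` is a Stapler web endpoint and must check a permission itself, and a password field on a persisted `Builder` should be a `hudson.util.Secret` rather than a `String` so it is not written to `config.xml` in cleartext.

```java
import hudson.Extension;
import hudson.model.AbstractProject;
import hudson.model.Item;
import hudson.tasks.BuildStepDescriptor;
import hudson.tasks.Builder;
import hudson.util.FormValidation;
import hudson.util.Secret;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.DataBoundConstructor;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

// Hypothetical builder modelled on the finding text. Builder instances are
// persisted by XStream into the job's config.xml: a String field lands there
// in cleartext, a Secret field is stored encrypted with the instance key.
public class FastBuilder extends Builder {
    private final Secret password;   // finding: was a plain String field

    @DataBoundConstructor
    public FastBuilder(Secret password) {
        this.password = password;
    }

    public Secret getPassword() { return password; } // Jelly round-trips Secret

    // Decrypt only at the point of use; never log or persist the plaintext.
    String passwordForRequest() { return Secret.toString(password); }

    @Extension
    public static class DescriptorImpl extends BuildStepDescriptor<Builder> {
        // doCheck* methods are reachable over HTTP by any user with
        // Overall/Read, so the method itself must enforce a permission.
        @POST
        public FormValidation doCheckName(@AncestorInPath Item item,
                                          @QueryParameter String value) {
            if (item == null) {          // called outside a job context
                Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            } else {
                item.checkPermission(Item.CONFIGURE);
            }
            if (value == null || value.trim().isEmpty()) {
                return FormValidation.error("Name must not be empty");
            }
            return FormValidation.ok();
        }

        @Override
        public boolean isApplicable(Class<? extends AbstractProject> jobType) {
            return true;
        }
    }
}
```

A credentials ID resolved through the Credentials plugin is the preferred alternative to storing a `Secret` on the builder at all, since it keeps the password out of job configuration entirely.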

@jenkins-cert-app jenkins-cert-app added security-audit-needs-correction The security audit revealed issues that must be corrected from the hosting request and removed security-audit-todo The security team needs to audit the hosting request code labels Sep 29, 2023
@alecharp
Contributor

alecharp commented Dec 7, 2023

I found some issues with the plugin's current configuration:

The current state of the plugin doesn't seem to be complete.

Because the last comment was published in late September and no actions were taken to remediate the findings, I'm closing this ticket. Don't hesitate to re-open this request once you have had the chance to resolve the issues, so we can host your plugin in the community.

@alecharp alecharp closed this as completed Dec 7, 2023